Screenshot Authenticity Explained: Cryptographic Proof in Every Capture

The Problem
The Visible Banner
Understanding Each Field
How the Chain Works Together
What This Means in Practice
Verifying a Screenshot
Technical Standards Used
Key Takeaways
Frequently Asked Questions

The Problem

Screenshots are easy to fabricate. Anyone with an image editor can alter a screenshot, change text, modify numbers, or forge entire pages. A screenshot tool with metadata solves this problem by embedding verifiable evidence directly into the capture. In industries like construction, where screenshots of payment portals, change orders, and project records may serve as evidence in disputes, the integrity of a screenshot is critical.

Stash solves this by embedding a cryptographic chain of evidence directly into every screenshot at the moment of capture. This metadata is invisible to the naked eye but machine-verifiable — a tamper-evident seal baked into the image file itself.

Every Stash screenshot includes a dark metadata banner at the bottom of the image. This banner displays key provenance information in human-readable form:

Line	Color	Contents
Line 1	White	URL, page title, capture timestamp
Line 2	Gray	Browser version, viewport size, Stash version
Line 3	Green	Portal context — logged-in user, company, project (when detected)
Line 4	Blue	Security protocol, extension ID, attestation ID
Line 5	Blue	DOM SHA-256 hash

The real power is in the invisible metadata embedded in the PNG file.

Understanding Each Field

ATT — Attestation ID

What it is: A universally unique identifier (UUID) generated at the moment of capture. Example: att:3f7a9b2e-8c4d-4e1f-a6b3-9d2e1f4a8c7b

Why it matters: The attestation ID links the local screenshot to a server-side record. When Stash captures a screenshot, it sends this ID to a secure attestation server along with the image hash. The server signs the data with its own cryptographic key and records the exact time. This creates an independent, tamper-proof timestamp — proving the screenshot existed at a specific moment in time, not just when the user's clock said it did.

Think of it as a digital notary stamp. Your local device says "I took this screenshot." The server independently confirms "Yes, I saw the evidence at this exact time."

DOM SHA-256 — Page Content Hash

What it is: A SHA-256 cryptographic hash of the entire HTML source code of the page at the exact moment the screenshot was taken. Example: DOM SHA-256: a3f8b2e1c4d7... (64 hex characters)

Why it matters: A screenshot is just pixels — it shows what the page looked like. The DOM hash captures what the page actually was: every element, every attribute, every hidden field, every piece of data in the HTML source. If even a single character in the page's HTML was different, the hash would be completely different.

This means:

You can prove the page content matched what was visually displayed
Hidden elements (data attributes, form values, metadata) are captured even if not visible
Any alteration to the page after capture would produce a different hash
Two people viewing the same page at the same time would produce the same DOM hash

SHA-256 is the same cryptographic algorithm used in Bitcoin, TLS certificates, and government document signing. It's computationally infeasible to find two different inputs that produce the same hash.

Image Hash — Pixel Content Hash

What it is: A SHA-256 hash of the raw pixel data (every red, green, blue, and alpha value of every pixel) computed before the banner is drawn on the image.

Why it matters: This proves the visual content of the screenshot hasn't been altered. If someone edits even one pixel in the image, the hash will no longer match. The hash is computed from the raw pixel data, not the compressed PNG — this means even re-saving the image with different compression settings won't match.

The image hash cannot appear in the banner itself (that would create a circular dependency — changing the banner changes the pixels which changes the hash). It lives only in the embedded metadata.

Security Protocol — HTTPS/HTTP

What it is: Whether the captured page was served over a secure (HTTPS) or insecure (HTTP) connection. Displayed as a lock icon in the banner.

Why it matters: HTTPS ensures the page content came from the authentic server and wasn't intercepted or modified in transit. A screenshot of an HTTPS page has stronger provenance than one from an HTTP page, because you know a man-in-the-middle attack didn't alter the content before it reached the browser.

Extension ID — Chrome Extension Identity

What it is: Chrome's unique identifier for the installed Stash extension. Example: ext:abcdefghijklmnop

Why it matters: This proves the screenshot was captured by the genuine Stash extension, not a copycat or modified version. Chrome assigns a stable, unique ID to each extension based on its signing key. This ID can be verified against the official Stash extension listing.

Local ECDSA Signature

What it is: A cryptographic signature created using the ECDSA P-256 algorithm with a private key stored securely on the user's device.

Why it matters: The extension signs ALL metadata fields together with a single signature. If anyone changes any field — the URL, timestamp, image hash, DOM hash, or anything else — the signature becomes invalid. It's a tamper-evident seal over the entire evidence package.

The corresponding public key is also embedded, so anyone can mathematically verify the signature is valid without needing access to the private key.

ECDSA P-256 is the same algorithm used by Apple for code signing, by banks for transaction authentication, and by FIDO2/WebAuthn for passwordless login.

Server Signature and Server Timestamp

What it is: An independent cryptographic signature and timestamp from Stash's attestation server.

Why it matters: The local device's clock can be manipulated. The server provides an independent, trusted timestamp — its own clock, its own signature. The server receives the image hash, DOM hash, and attestation ID, then:

Records the exact time it received the evidence
Signs everything with its own private key (which the user never has access to)
Returns the signature and timestamp to be embedded in the image

This creates dual-party attestation: both the local device and an independent server vouch for the screenshot's existence and content at a specific time.

Certificate Transparency Fingerprints

What it is: SHA-256 fingerprints of TLS certificates issued to the captured domain, retrieved from public Certificate Transparency (CT) logs.

Why it matters: Certificate Transparency is a public, append-only ledger where certificate authorities must record every TLS certificate they issue. By recording which certificates existed for the domain at capture time, Stash provides forensic evidence that:

The domain had valid TLS certificates at capture time
The certificates were issued by recognized certificate authorities
No unauthorized certificates were in circulation (which could indicate a man-in-the-middle attack)

Portal Context — User, Company, Project

What it is: The logged-in user's identity, company name, project name, and page context extracted from the page's DOM.

Why it matters: For construction portals like Procore, Textura, and GC Pay, knowing who was logged in and what project they were viewing is critical context. Stash detects these portals and extracts:

Authenticated user — the name displayed in the portal's UI
Email — if available in the DOM or browser storage
Company — the organization the user belongs to
Project name and ID — the specific project being viewed
Page context — breadcrumbs or page title indicating what section was captured

How the Chain Works Together

The full evidence chain executes in twelve steps, from the moment you click the Stash icon to the final saved image:

User clicks Stash icon
        |
        v
[1] Capture DOM HTML ──────────> SHA-256 ──> DOM Hash
[2] Capture page pixels ───────> SHA-256 ──> Image Hash
[3] Extract portal context ────> User, Company, Project
[4] Record security state ─────> HTTPS, Extension ID
[5] Generate Attestation ID ───> UUID
        |
        v
[6] Bundle ALL fields together
        |
        v
[7] Sign with local ECDSA key ──> Local Signature
        |
        v
[8] Send to attestation server
        |
        v
[9] Server records timestamp ──> Server Timestamp
[10] Server signs everything ──> Server Signature
[11] Server queries CT logs ───> Certificate Fingerprints
        |
        v
[12] Embed ALL metadata into PNG file
        |
        v
    Screenshot saved with full evidence chain

What This Means in Practice

Dispute Resolution

A Stash screenshot isn't just a picture — it's a signed, timestamped, hash-verified evidence package. If someone claims "that screenshot was altered" or "that page never showed that," the cryptographic evidence can be independently verified.

Compliance

Industries with documentation requirements can point to Stash screenshots as having a verifiable chain of custody from capture to storage.

Trust

When sharing screenshots with colleagues, clients, or legal teams, the embedded attestation provides confidence that what they're seeing is exactly what was on screen — no more, no less.

Verifying a Screenshot

Use the included verification tool:

python3 verify-screenshot.py screenshot.png

This reads all embedded metadata and displays it in categorized sections:

Basic Info — URL, timestamp, browser
Portal / User Context — logged-in user, company, project
Authenticity — image hash, DOM hash, security protocol
Cryptographic Signatures — local + server ECDSA signatures, public keys

Technical Standards Used

Technology	Standard	Used For
SHA-256	FIPS 180-4	Content hashing (image + DOM)
ECDSA P-256	FIPS 186-4	Digital signatures (local + server)
JWK	RFC 7517	Key exchange format
UUID v4	RFC 4122	Attestation identifiers
PNG tEXt	ISO/IEC 15948	Metadata embedding
Certificate Transparency	RFC 6962	TLS certificate verification

Key Takeaways

Every Stash screenshot contains a cryptographic chain of evidence — SHA-256 hashes, ECDSA signatures, and server attestation — embedded directly in the PNG file.
The DOM hash captures what the page actually was (every HTML element), not just what it looked like in pixels.
Dual-party attestation means both the local device and an independent server vouch for the screenshot's existence and timing.
ECDSA P-256 signatures create a tamper-evident seal: changing any metadata field invalidates the entire signature.
Certificate Transparency fingerprints provide forensic evidence that the domain had valid TLS certificates at capture time.
Construction portals like Procore and Textura get automatic context extraction — logged-in user, company, project, and page context.

Frequently Asked Questions

What is screenshot authenticity?

Screenshot authenticity is the ability to cryptographically verify that a screenshot has not been altered since the moment of capture. Stash achieves this by embedding SHA-256 hashes, ECDSA digital signatures, and server-side attestation directly into the PNG file's metadata at capture time.

How does Stash verify a screenshot hasn't been tampered with?

Stash computes SHA-256 hashes of both the raw pixel data and the page's DOM HTML at the exact moment of capture. These hashes, along with all other metadata fields, are signed with an ECDSA P-256 digital signature. Changing even one pixel or one character invalidates the hash and breaks the signature.

What is an attestation ID in a Stash screenshot?

An attestation ID is a universally unique identifier (UUID) generated at the moment of capture. It links the local screenshot to a server-side record where an independent attestation server signs the evidence with its own cryptographic key and records the exact time — functioning as a digital notary stamp.

Can someone forge a Stash screenshot?

No. Altering any field in the metadata — the URL, timestamp, image hash, DOM hash, or any other value — invalidates the ECDSA signature. The server-side attestation provides an independent second signature that the forger cannot reproduce without access to the attestation server's private key.

What cryptographic standards does Stash use for screenshot authenticity?

SHA-256 (FIPS 180-4) for content hashing, ECDSA P-256 (FIPS 186-4) for digital signatures, JWK (RFC 7517) for key exchange, UUID v4 (RFC 4122) for attestation identifiers, PNG tEXt (ISO/IEC 15948) for metadata embedding, and Certificate Transparency (RFC 6962) for TLS certificate verification.

Why does Stash need a server for screenshot attestation?

The local device's clock can be manipulated. The attestation server provides an independent, trusted timestamp — its own clock and its own cryptographic signature. This creates dual-party attestation: both the local device and an independent server vouch for the screenshot's existence and content at a specific time.

What industries benefit from authenticated screenshots?

Construction, legal, compliance, and financial services benefit most. Any industry where screenshots of payment portals, change orders, project records, or other documents may serve as evidence in disputes gains value from a cryptographically verifiable chain of custody.

References and Further Reading

NIST, "FIPS 180-4: Secure Hash Standard (SHS)" — specification for SHA-256
NIST, "FIPS 186-4: Digital Signature Standard (DSS)" — specification for ECDSA P-256
RFC 7517, "JSON Web Key (JWK)" — key exchange format used for embedded public keys
RFC 6962, "Certificate Transparency" — public TLS certificate logging standard
ISO/IEC 15948, "PNG Specification" — tEXt chunk format for metadata embedding
RFC 4122, "A Universally Unique IDentifier (UUID) URN Namespace" — UUID v4 generation